puppet: Add a teleport server.

See https://goteleport.com/docs/architecture/overview/ for the general architecture of a Teleport cluster. This commit adds a Teleport auth[1] and proxy[2] server. The auth server serves as a CA for granting time-bounded access to users and authenticating nodes on the cluster; the proxy provides access and a management UI. [1] https://goteleport.com/docs/architecture/authentication/ [2] https://goteleport.com/docs/architecture/proxy/
2021-06-02 01:41:02 +00:00 · 2021-06-02 01:41:02 +00:00 · 1cdf14d195
parent 6143cb6e73
commit 1cdf14d195
7 changed files with 136 additions and 0 deletions
--- a/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf
+++ b/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf
@ -0,0 +1,8 @@
+[program:teleport_server]
+command=/usr/local/bin/teleport start --config=/etc/teleport_server.yaml
+priority=10
+autostart=true
+autorestart=true
+user=root
+redirect_stderr=true
+stdout_logfile=/var/log/teleport_server.log
--- a/puppet/zulip_ops/files/teleport_server.yaml
+++ b/puppet/zulip_ops/files/teleport_server.yaml
@ -0,0 +1,31 @@
+# See https://goteleport.com/docs/config-reference/ and
+# https://goteleport.com/docs/admin-guide/#configuration
+teleport:
+  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
+
+auth_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3025
+  cluster_name: teleport.zulipchat.net
+  authentication:
+    type: local
+    second_factor: on
+    u2f:
+      app_id: https://teleport.zulipchat.net
+      facets:
+        - https://teleport.zulipchat.net:443
+        - https://teleport.zulipchat.net
+        - teleport.zulipchat.net:443
+        - teleport.zulipchat.net
+
+proxy_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3023
+  web_listen_addr: 0.0.0.0:443
+  public_addr: teleport.zulipchat.net:443
+  acme:
+    enabled: "yes"
+    email: zulip-ops@zulip.com
+
+ssh_service:
+  enabled: no
--- a/puppet/zulip_ops/manifests/profile/teleport.pp
+++ b/puppet/zulip_ops/manifests/profile/teleport.pp
@ -0,0 +1,31 @@
+class zulip_ops::profile::teleport {
+  include zulip_ops::profile::base
+  include zulip_ops::teleport::base
+
+  file { '/etc/teleport_server.yaml':
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+    source => 'puppet:///modules/zulip_ops/teleport_server.yaml',
+  }
+  file { "${zulip::common::supervisor_conf_dir}/teleport_server.conf":
+    ensure  => file,
+    require => [ Package[supervisor], Package[teleport], File['/etc/teleport_server.yaml'] ],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    source  => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_server.conf',
+    notify  => Service[$zulip::common::supervisor_service],
+  }
+
+  # https://goteleport.com/docs/admin-guide/#ports
+  # Port 443 is outward-facing, for UI
+  zulip_ops::firewall_allow { 'teleport_server_ui': port => 443 }
+  # Port 3023 is outward-facing, for teleport clients to connect to.
+  zulip_ops::firewall_allow { 'teleport_server_proxy': port => 3023 }
+  # Port 3034 is outward-facing, for teleport servers outside the
+  # cluster to connect back to establish reverse proxies.
+  zulip_ops::firewall_allow { 'teleport_server_reverse': port => 3024 }
+  # Port 3025 is inward-facing, for other nodes to look up auth information
+  zulip_ops::firewall_allow { 'teleport_server_auth': port => 3025 }
+}
--- a/puppet/zulip_ops/manifests/teleport/base.pp
+++ b/puppet/zulip_ops/manifests/teleport/base.pp
@ -0,0 +1,12 @@
+class zulip_ops::teleport::base {
+  include zulip::supervisor
+
+  $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo"
+  exec{ 'setup-apt-repo-teleport':
+    command => "${setup_apt_repo_file} --list teleport",
+    unless  => "${setup_apt_repo_file} --list teleport --verify",
+  }
+  Package { 'teleport':
+    require => Exec['setup-apt-repo-teleport'],
+  }
+}
--- a/scripts/setup/apt-repos/teleport/bionic.list
+++ b/scripts/setup/apt-repos/teleport/bionic.list
@ -0,0 +1 @@
+deb https://deb.releases.teleport.dev/ stable main
--- a/scripts/setup/apt-repos/teleport/focal.list
+++ b/scripts/setup/apt-repos/teleport/focal.list
@ -0,0 +1 @@
+deb https://deb.releases.teleport.dev/ stable main
--- a/scripts/setup/apt-repos/teleport/teleport-pubkey.asc
+++ b/scripts/setup/apt-repos/teleport/teleport-pubkey.asc
@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+R3LYBEADOEO9i3Dm5rEAiXONchX3M54QzZX0yHArSpYQ5aJDdJRQbqzqT
+e2os8NpSjVDZFNz5ul8xkZsnCLX7pgrAYqq+vsXL4bMWDP96S6PjfVIAyV4ylv0
+DBReMdkaAZb/IoPhkSTT+ayw4eGEtUz/k7mxMpQ9ob7qFtGs8aNVT/An5LfFR1Lx
+9WOlFPPIAJKcHVIyRD+4EoCSn1R1c61UHFIRatbAnwOLs3iz4/GU+w9wdbuWbDuk
+nGdG0Lmlzp42HHxeJJFQlOTed97+trktvAiuzA/0lbQHEcWvxfWAy5//cjORp+H3
+RGLp8fJ+fFRAyA4WP6O3wIC4gAAgsEn8WpVT8wZYlLMRf694SeawBtyUSlcsn9i1
+LuOh5akOY3iQtH01+rMBjOaMkCmpT2nQaUH+HS2iZBddBHdAMMQtj2UolMRbUSxH
+GJczes1t9/WH3vbvh5ESMOy0fH14Tjo+9yQYa4EhFNNloAG10DYFLlCj47fWDdS
+o/++vhZsKaS7yLHDGOLPT+x15ComG2gupmRkbATvUddztlsfF+tD97laT9eaLB1W
+zxszqr8+LxP961wmbS2j+ZBbXyrPr1Fln/TdyFAhkIMJ+J5hZB+NcjRUwUoB7nOd
+FbTxtnyJb2iaJNCJHJQVA85IYzUpXA3CDdgUHF810kVBcBPBtLhZC5ybQARAQAB
+tCtHcmF2aXRhdGlvbmFsLCBJbmMgPGluZm9AZ3Jhdml0YXRpb25hbC5jb20+iQJU
+BBMBCAA+FiEEDF6LpWWOMg0bAxF5yH7VOmKCxBEFAl+R3LYCGwMFCRLMAwAFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQyH7VOmKCxBFfxxAAiXWJm86oZtVdAlp1
+pzpKeV0pwgrnt7Uk8fu5tYpdE/oVMnwcdsDDQucItGtHGfjmzs3Cr8/praekenf1
+9iHSz422OpIGzCI4VfXaFPVfzbV1w7cSOnceY6lPnKUMrRBKKJX5Nw/6LZS40gsQ
+BoeZxe0MXB4tBc4dY30f1MQ44amRYmtTA7wep+ymVRfkPnHNnIrsdYGldbfPsbPO
+PUX8ZnWZiuI0+NgX3oBOl6YY4JehBJj61Ukx1DPHHLhhundHumChYFn+LBIZxD3O
+B9uoRzUzwUIM0N9IUjpGvtkqtm7Vbs6/bDxI4Owgsa7vXpEXZ2qD0AIle7sD0Fjl
+F19o2mXmEeQp9Fl4OrkZCURCQvPq9UCh6Nu0a1+SnbG+qXyyvqszy2tkV4xmcF4w
+Gib0SVT8RR08NeJXkHtBscnecgUA1BTH8J8RnUeQXZhUn51bVJk4JaDnEXp8VEP2
+gNce+oUY2XQtLDVzHysGhexDrWk8ycl/zvwyxKv+kj5QhjXugHkOMnW53mdMe3N/
+gwsV+kJUm6NdtLtTAOkky/GfkIGTWNQPD2/42T+0cA9lTVxihh+wz9tgA1ZbtVOK
+P2DNA10rsCuzGPFn8d6Khymt0o66dgfEloy9Y14leoqUCMPU3ibLP6bYuow2AJUz
+KcvTgmfjP1/ghNXI7E2vgNi8wta5Ag0EX5HctgEQALx4btbP47LwrIqB4loog2sT
+pac7fdbA+YVeqP/9KoLw1ZB+5DeqNKmtUHSau9mRVh8a8g7slpGhH6hxlEHr7ek/
+mA/o91jB4RGo5mfyuWcJQKRyHS4pWciEM/gK+o6lEceTdUwvKI6OrJ4koPd3HZth
+mw+xPyAdGKY3oBmrXeZ6XkuDfME8doRmuwlw/tbmje63/2j97ebiFfQcyWLH32d8
+T+yEpAj+55Qxp6aJZaDOeAuzBtyAopxGRjGsxBUF/VSUwxYb0bmwWgPIhPC77oEk
+AEMPsIsI9LJ8fQY/sOzwhyNNt+b7rgto6AFskz7urezzCuuIwMeupmC78QWGw9jM
+zHFf3R6O1KQ0v8PBYYb6BHkjzho6hTcOZO9Zh+XO4k6uEwlu+Zc0AmyHmQeQ3I8Z
+tAb//LJk9X62yNPE/8wjtEUzXqyzlLpGjRFr6kQv+6nqs8JxyCnS34Q+au2IqOnn
+iFkHj/w79mtmzR4G43wo3x1nGjyz+vTpsurmJ+qFMO0bLcE/HV8aGxs0YeQsByOc
+SU8TK6v+Wkn58LT4cvjIO5G/2UM7kucXl56hqvguvnFTLNqewWtqgS7IRuykcYgK
+HrBYb/iVH+Fb+9Th9VX7bl0ZeoH7O8RbvxKGkd90+DPsurBeIQ7S4zM9w7WnAsAC
+Sgs8owYZpHpyrK8QFD4zABEBAAGJAjwEGAEIACYWIQQMXoulZY4yDRsDEXnIftU6
+YoLEEQUCX5HctgIbDAUJEswDAAAKCRDIftU6YoLEEURID/4oQhZZPindZJHiwQqm
+0a8H1ssgZAz6E8PejoN0gbsblbOrtkGDLU8gvzksvd/9luSLRgPw++m6ut87PeMv
+MKc4UIyRb5oSgh5WE0bW9191Gkfge9DRrIdtUDG8N+oTlIWYHTXC5zlwmfMobtQE
+kFUdPbedhytYx1wgbh8KP8sLXGPXut5VqDy/EgNzqERnI5kLeiDvMsLz0xjdHpGW
+ASfJMNX120GU8Mwqa6gWvP52BB20pU9bC1VQX1qiqD6V1GpxQJ2jACKke6boiqbL
+Bdb0UgmW4XYIp4ZjLC842e0qSyfd8rt3PzYrbK/NPuXAV7f+wAhPSC18v+1Ap5Kh
+KKHRLvyUVGxwaBVedOuuC/OqJwSSLa0cQKytFK+3OJAdTYoHtsh++ScgEL/wOCXs
+gM5xmlI6Pk/6Ev0Hz/kDY5F0w4/VvSEaS/7TSkmf5JvxdueVObf5ry5O+L4J7t7y
+JwdtPhXgHR0PHidnh/02SVn8XIzHdB9OZ2i6Wr12loFZGltWdmJVkQC/cj/HBr5I
+ZizQril+7cXDI/8Hyk04d19rmjSIU49FderpNYYOv38dqaAsosYge6JzYdIzJrJH
+/DIKnSAU/a14sFUrNm+TYJmZto35hSltUxLEzLIWeR9TjpOh6VS1UzdGQh32NP+h
+oq8y1SJMCrfC9Ub5q2/ijiJWUw==
+=+Ne5
+-----END PGP PUBLIC KEY BLOCK-----
				`@ -0,0 +1 @@`
				`deb https://deb.releases.teleport.dev/ stable main`